I have some questions regarding the setup of pulse secure on a Linux desktop running Ubuntu 17.10. Pulse version is 5.3r3.0-b1021:
2. If I understand correctly, I currently need two types of certificates to authenticate myself. First, an SSL client certificate used by the pulse UI to login on the web portal, and then a PCS device certificate to be downloaded from the server. Is that correct?
2. I already own the SSL client certificate. I imported it in firefox, and it allows me to login on the web portal. I also added it to the pulse certificate store, using the following command line:
/usr/local/pulse/PulseClient_x86_64.sh install_certificates -inpfx mycert.pfx
Certficate is installing by user: "jr"
Please make sure that client certificates to be installed by logged in DESKTOP user only.
Do you want to continue[y/n]: y
install_certificate : install_certificates -inpfx mycert.pfx
Extracting Private Key from mycert.pfx
Enter Import Password:
MAC verified OK
Extracting Public Key from mycert.pfx
Enter Import Password:
MAC verified OK
Filename : new2.pfx
Password:
Public Key new2-pub
Private Key /home/jr/.pulse_secure/pulse/certificates/mycert-priv.pem
No key exist in gnome-keyring for certificate mycert-pub
Private Key added to gnome keyring successfully.
Successfully added certificate to Pulse Certificate store.
Looks good. But still, the pulseui is not able to login:
I'm confused: is the install_certificates command meant to be used to install the PCS server certificate only? But then, how am I supposed to provide the client certificate to the UI?
Any help much appreciated!
Which Linux OS are you using? Certificate authentication is not supported on CentOS 6.4 and 6.9.
Could you please perform the following steps and check whether it works:
# DEB based OS
cp /path/to/pcs_server_cert.crt /usr/local/share/ca-certificates
# RPM based OS
cp /path/to/pcs_server_cert.crt /usr/share/pki/ca-trust-source/anchors
In any case, request you to please try out the procedure above, and check whether Cert. Auth. works. If it does not, then you could check whether any client certificate restrictions are configured at Users > User Realms > Specific User Realm > Authentication Policy > Certificate section. If any rules are defined, then ensure that the client certificate matches the rule properly.
Hi @csuchindra! Thanks a lot for the feedback.
Ok, I'll ask our administrator to provide the PCS server certificate. I guess that he can follow the steps described in this knowledge base article to get it: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40127
I'll try then to add it to my system. I'm pretty sure that the client certificate I'm using is the correct one, since I can use it to authenticate myself in firefox and IE.
Also, if the PCS Server Certificate is not Self Signed, then you will have to install the CA certificate (the certificate that signed the PCS Server Certificate) instead.
Hum, I still can't go past the login screen. I added the certificate provided by our administrator to the list of trusted CA. I also tried to install the client certificates with the complete and partial certificate chain, but nothing works.
The pulse UI is using webkit and libsoup to handle the client certificate authentication; I'll try to set up a demo app to debug this further...
With the above settings (namely placing the Server's Issuer certificate in the client machine's CA certificate folder, and installing the client certificate), it should ideally be possible to perform Cert. Auth. However, in this case, since the error is persisting even with the above steps, I feel we should look at the client side logs to see if we get a clue (~/.pulse_secure/pulse/pulsesvc.log). Is it possible to paste a snip of the happenings in the log when a login attempt takes place? Also, what is the error that is thrown in the webkit UI?
Sorry for the delayed answer. The notifications for new messages are somehow not working.
Here is what my pulsesvc log file says:
20180425172724.491595 pulsesvc[p6718.t6718] pulseui.info Protocol :direct Credential : (pulseProxy.cpp:60)
20180425172724.491619 pulsesvc[p6718.t6718] pulseui.info Proxy used is NULL (pulseUi.cpp:721)
20180425172724.491636 pulsesvc[p6718.t6718] pulseui.info Proxy Host is NULL (pulseUi.cpp:722)
20180425172724.491651 pulsesvc[p6718.t6718] pulseui.info Proxy Port is 0 (pulseUi.cpp:723)
20180425172724.491666 pulsesvc[p6718.t6718] pulseui.info Proxy UserName is NULL (pulseUi.cpp:724)
20180425172724.491681 pulsesvc[p6718.t6718] pulseui.info Proxy Password is NULL (pulseUi.cpp:725)
20180425172724.491695 pulsesvc[p6718.t6718] pulseui.error Proxy is not used/set (pulseUi.cpp:755)
20180425172724.491711 pulsesvc[p6718.t6718] pulseui.info Proxy object is delete (pulseProxy.cpp:28)
20180425172724.497128 pulsesvc[p6718.t6718] pulseui.info About to start VPN connection: MyProfile, baseUrl: https://my.company.web.portal (pulseUi.cpp:412)
Not much as you can see. The error entry regarding the proxy is irrelevant I assume.
In the pulseUI web browser, the error you see in the screenshot in my first post appears. You get exactly the same error from any browser if you try to connect without having a compatible client certificate...
I know for sure that my client certificate is the right one (it works in all browsers to authenticate myself), but somehow the pulse client fails to use it adequately...
Sorry for the delay again
Yes, the proxy details in the log are not relevant. Maybe enabling detailed logging on the client side (if not enabled) would provide more details. This can be done by File > Logs > Log Level > Detailed. Request you to please try that.
Also, hope you have installed the certificate as the non-root user. If you have installed the certificate as root user, and try connecting using the client as non-root user, it would fail. In case that is the issue, then request you to please install the certificate as a non-root user, and try logging in. Please don't forget to run the PulseClient_x86_64.sh command "without" sudo.
I am somehow not able to access the image that you have attached in the first post. Tried 3 different browsers and the behavior is the same. I will try to get access to the image
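The three things this thread keeps circling back to (does the PFX hold a key that matches its certificate, does that certificate chain to the issuer CA the admin handed over, and was everything installed as the desktop user rather than root) can each be checked from a shell before blaming the client. The script below is an added example, not code from the thread or from Pulse Secure; it assumes only the openssl command line, and it builds a constructed throwaway CA and client PFX (password "demo") so that it runs offline. Point the same functions at your real mycert.pfx, the PCS issuer .crt and ~/.pulse_secure/pulse/certificates to check a live setup.

```shell
#!/bin/sh
# Added example (not code from the thread or from Pulse Secure): three checks a
# desktop user can run against a real mycert.pfx and the issuer certificate the
# PCS admin supplied. The fixture is a constructed throwaway CA so it runs offline.
set -e
WORK=$(mktemp -d)

make_fixture() {  # toy issuer CA, a client cert it signed, and an unrelated CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo PCS Issuer" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=jr" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout pass:demo -out "$WORK/mycert.pfx" 2>/dev/null
}

# Check 1: the private key in the PFX belongs to the client cert in the PFX
# (compare the public key derived from each side).
key_matches_cert() {  # $1 = pfx path, $2 = import password
  c=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
      | openssl x509 -noout -pubkey 2>/dev/null)
  k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
      | openssl pkey -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 2: the client cert chains to the issuer CA file the admin handed over
# (a realm certificate restriction can only match a cert the PCS trusts).
cert_chains_to() {  # $1 = pfx path, $2 = import password, $3 = CA PEM file
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null >"$WORK/leaf.pem"
  openssl verify -CAfile "$3" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check 3: nothing under the Pulse certificate directory is owned by another
# user, the symptom of having run install_certificates via sudo.
owned_by_me() {  # $1 = directory, e.g. ~/.pulse_secure/pulse/certificates
  [ -d "$1" ] || return 1
  [ -z "$(find "$1" ! -user "$(id -un)" 2>/dev/null | head -n 1)" ]
}

make_fixture
for t in "key_matches_cert $WORK/mycert.pfx demo" \
         "cert_chains_to $WORK/mycert.pfx demo $WORK/ca.crt" "owned_by_me $WORK"; do
  if $t; then echo "PASS: $t"; else echo "FAIL: $t"; fi
done
```

A FAIL on check 2 with the admin's CA file means the realm's certificate rule can never match, whatever the browser does with the same PFX; a FAIL on check 3 means the files need to be removed and re-imported without sudo.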